Wednesday morning we attended the IBM Security Forum Nordic, as part of our continuous effort to keep a finger on the pulse of industry trends. The forum was presented as a webcast where we had the opportunity to listen to some of IBM's top security experts here in the Nordics. During the morning we heard three inspiring talks, followed by a discussion on how to move forward in the ever-changing cybersecurity landscape.
Security is better in the cloud
The first presentation covered cloud security and the journey businesses must embark on when moving to the cloud. The speaker, Magnus Lindkvist, Cloud Security Practice Lead, IBM Nordics, explained how the industry is tackling this journey. After briefly presenting the different kinds of cloud services and delivery models (IaaS, PaaS, SaaS), he stressed the importance of the shared responsibility model, in which the provider secures the underlying platform while the customer remains responsible for its own data, identities and configuration, and noted that the industry is seeing hybrid cloud as the most sought-after solution.
Magnus also discussed how businesses use several cloud providers at once, creating a heterogeneous environment, and how difficult it is to pin down where the boundary of responsibility lies, both for the customer and for the providers. To wrap up his talk, he highlighted the importance of understanding your data and knowing where it is located in the cloud.
Risk Quantification
Ali Yaqoob, Security Strategy Risk and Compliance Lead, IBM Nordics, talked about the importance of risk quantification. Putting numbers on risk is difficult, but it is a necessary next step for organizations in order to translate security requirements into a language that managers speak. Ali discussed how risk assessments suffer from inconsistent terminology and from the subjectivity of qualitative ratings such as "high", "medium" and "low".
To aid in quantifying risk, Ali recommended the FAIR methodology (Factor Analysis of Information Risk), which decomposes a risk into the frequency of loss events and the magnitude of each loss, and explained how it complements frameworks such as ISO 27001, NIST and COSO rather than replacing them. As he finished his talk, he acknowledged that every risk assessment will in fact be somewhat subjective, and that it is impossible to quantify every risk in an organization.
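To make the idea of "putting numbers on risk" concrete, here is an added example that is not from the forum, from IBM, or from the FAIR standard itself. It uses the standard FAIR decomposition (risk = loss event frequency × loss magnitude, where loss event frequency = threat event frequency × vulnerability) with calibrated minimum/most-likely/maximum estimates instead of single guesses, and simulates a year many times to get an annualized loss distribution. The scenario values, the PERT and Poisson sampling choices and the function names are assumptions made for the illustration.

```python
import math
import random
import statistics

# Constructed example scenario (not real data). Each factor is given as a
# calibrated (minimum, most likely, maximum) estimate, the usual FAIR input form.
SCENARIO = {
    "name": "Credential-stuffing against the customer portal",
    "tef": (0.5, 2.0, 6.0),        # threat event frequency: attempts per year
    "vuln": (0.10, 0.30, 0.60),    # vulnerability: P(attempt becomes a loss event)
    "loss": (20_000, 80_000, 500_000),  # loss magnitude per event, in EUR
}


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw from a modified PERT distribution (a beta shaped by min/mode/max)."""
    if high == low:
        return low
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson_sample(rng, lam):
    """Number of loss events in a year given expected frequency lam (Knuth's method)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def point_estimate(tef_mode, vuln_mode, loss_mode):
    """The naive single-number answer: most-likely values multiplied together."""
    return tef_mode * vuln_mode * loss_mode


def simulate_annual_loss(scenario, iterations=10_000, seed=1):
    """Monte Carlo: sample the FAIR factors and accumulate one year of losses per run."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    annual_losses = []
    for _ in range(iterations):
        tef = pert_sample(rng, *scenario["tef"])
        vuln = pert_sample(rng, *scenario["vuln"])
        lef = tef * vuln                      # loss event frequency per year
        events = poisson_sample(rng, lef)
        total = sum(pert_sample(rng, *scenario["loss"]) for _ in range(events))
        annual_losses.append(total)
    return annual_losses


def summarize(annual_losses):
    """Turn the simulated distribution into figures a manager can act on."""
    ordered = sorted(annual_losses)
    pct = lambda q: ordered[min(len(ordered) - 1, int(q * len(ordered)))]
    return {
        "ale": statistics.mean(ordered),     # annualized loss expectancy
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "worst_case": ordered[-1],
        "p_no_loss": sum(1 for x in ordered if x == 0) / len(ordered),
    }


if __name__ == "__main__":
    naive = point_estimate(SCENARIO["tef"][1], SCENARIO["vuln"][1], SCENARIO["loss"][1])
    stats = summarize(simulate_annual_loss(SCENARIO))
    print(f"{SCENARIO['name']}")
    print(f"  single-point estimate: EUR {naive:,.0f}")
    for key, value in stats.items():
        label = f"{value:,.0f}" if key != "p_no_loss" else f"{value:.0%}"
        print(f"  {key:>11}: {label}")
```

The contrast between the single-point estimate and the p90/p95 figures is the practical takeaway: a control that costs more than the ALE may still be worth buying if it cuts the tail, and that argument can be made in money rather than in colours on a heat map.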
Zero Trust
Last but not least, Magnus Wennergren, Competency Lead, Identity and Access Management, IBM Nordics, talked about the shift towards the Zero Trust paradigm. He described how the IT environment has moved out of its protected castle (the many-to-one, centralized IT environment) into an any-to-any environment where the line between personal and professional devices is basically erased. Especially during these pandemic times we are working from anywhere and everywhere, so it is no longer possible to stay safe (but were we ever?) behind castle walls.
With Zero Trust, each resource defines its own perimeter, in what IBM calls micro-segmentation. Each resource must allow the right user, under the right conditions, to have the right access, to the right data, at the right time, and verify all of this on every request rather than trusting the network location it comes from.
Wrapping up
Overall it was interesting to listen to each presentation, and to the healthy discussion that the speakers, together with the moderator Ylva M Andersson and Business Unit Leader Kaja Narum, had about each topic and how they relate. The discussion, and indeed the entire forum, boils down to a continuing trend of miscommunication between security teams and top management. The CISO and the IT security team need to enable the business to do business in an insecure world, not act as the police and block development.
The forum ended with some final advice:
- Speak the same language.
- Trust is good, verify better, build trust on solid foundation.
- Have a strategy.
- Advise board members and top leadership to test themselves under a (simulated) cyberattack.